Log in Features Pricing FAQ
ITENES
14-day free trial
← Back to home

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of EU Regulation 2016/679 ("GDPR") between:

  • The Restaurant ("Controller") — the entity that registers on the Blero platform and uses the Service to manage the bookings of its end customers;
  • Nexora Venture Studio Srl, with registered office in Piazza della Repubblica 19, 20124 Milano, VAT number IT00000000000 ("Blero" or "Processor") — the provider of the SaaS reservation management platform.

This DPA forms an integral part of the Terms of Service and applies automatically to all Controllers using the Blero platform. Use of the Service implies acceptance of this DPA.

1. Definitions

Terms used in this DPA have the meaning given by the GDPR and the Terms of Service. In particular:

  • Personal Data: any information relating to an identified or identifiable natural person (Art. 4 GDPR), processed by Blero on behalf of the Controller within the Service.
  • Processing: any operation or set of operations performed on Personal Data, whether or not by automated means (Art. 4 GDPR).
  • Data Subject: the natural person whose Personal Data is processed — in the context of this DPA, the customer of the restaurant making a booking.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • Sub-processor: any third party engaged by Blero to carry out specific processing activities on behalf of the Controller.

2. Subject matter and duration of processing

2.1 Subject matter

Blero processes Personal Data of the restaurant's customers exclusively to provide the booking management Service, as described in the Terms of Service and in this DPA.

2.2 Duration

The processing lasts for the period during which the Controller uses the Service, plus a maximum period of 30 days from account termination for data deletion operations, except where a different legal obligation applies.

2.3 Nature and purposes of processing

The processing covers the following operations, carried out exclusively for the indicated purposes:

OperationPurpose
Collection and storage of identifying data (first name, last name, phone, email)Booking management and service communications
Sending OTP codes via SMSPhone number verification and prevention of fraudulent bookings and no-shows
Sending transactional emails (confirmation, reminder, modification, cancellation)Performance of the booking service
Sending review requestsRestaurant reputation management (can be disabled)
Storage of booking historyCustomer relationship management
Automatic cleanup of expired data (GDPR cron)Compliance with the retention period set by the Controller
Storage of marketing consentRecording of the data subject's will (if enabled by the Controller)

2.4 Categories of Data Subjects

Restaurant customers who make bookings through the public page or whose data is entered manually by the restaurant staff.

2.5 Categories of Personal Data

  • Identifying data: first name, last name
  • Contact data: phone number (prefix + number), email address
  • Booking data: date, time, number of guests, preferences (area, requirements), free notes
  • Technical data: cancellation/modification token (SHA-256 hash), idempotency key, preferred language
  • Aggregated data: first/last booking date, booking counter, SMS verification status
  • Marketing consent: flag and timestamp (if enabled by the Controller)

No special categories of data under Art. 9 GDPR, nor data relating to criminal convictions under Art. 10 GDPR, are processed.

3. Obligations of the Processor (Blero)

Blero undertakes to:

3.1 Process Personal Data exclusively on the basis of the documented instructions of the Controller, including those contained in the Terms of Service, in the restaurant configuration and in this DPA, except where required by Union or Member State law to which the Processor is subject.

3.2 Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Adopt all technical and organisational measures required by Art. 32 GDPR, as described in Section 7 of this DPA.

3.4 Comply with the conditions for engaging Sub-processors set out in Section 5 of this DPA.

3.5 Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for the exercise of Data Subjects' rights under Chapter III of the GDPR.

3.6 Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32-36 GDPR, taking into account the nature of processing and the information available to the Processor.

3.7 At the choice of the Controller, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

3.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this article and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Obligations of the Controller (Restaurant)

The Controller undertakes to:

4.1 Provide its customers with a complete privacy notice compliant with Art. 13 GDPR, using the tools made available by the platform (privacy editor in the configuration panel) or its own notice.

4.2 Ensure the lawfulness of the processing, including the identification of an appropriate legal basis for each processing purpose.

4.3 Define the retention period of the data through the configuration available in the admin panel ("Data retention" field in the Privacy tab).

4.4 Notify Blero, without undue delay, of any change to the processing instructions that may affect Blero's ability to comply with this DPA.

4.5 If the Controller activates the marketing consent collection feature, ensure that such collection is carried out in compliance with applicable regulations and assume full responsibility for the subsequent promotional communications sent to customers based on such consent.

5. Sub-processors

5.1 General authorisation

The Controller authorises Blero to engage Sub-processors to carry out specific processing activities on its behalf. Blero undertakes to enter into an agreement with each Sub-processor imposing data protection obligations substantially equivalent to those set out in this DPA.

5.2 List of Sub-processors

As of the date of this DPA, Blero engages the following Sub-processors:

Sub-processor Service Location Transfer safeguards
Xano, Inc.Backend, PostgreSQL databaseEU (Germany)Data in EU, DPA
Vercel, Inc.Frontend hostingUSAStandard Contractual Clauses (SCC), DPA
Paddle.com Market LtdPayments (Merchant of Record)UK / EUDPA, Paddle Privacy Policy
SMSAPI (MessageBird)OTP SMS sendingEU (Poland)Data in EU, DPA
Resend, Inc.Transactional emailsUSAStandard Contractual Clauses (SCC), DPA

Note: Paddle acts as Merchant of Record and processes payment data (credit card, billing) autonomously as an independent Controller. Payment data never transits through Blero's servers.

5.3 Changes to Sub-processors

Blero will notify the Controller of any changes to the list of Sub-processors (addition or replacement) with at least 30 days' notice, by email to the address registered in the account. The Controller may object to the change within 15 days of the notification; in case of objection, the parties will consult in good faith to find a reasonable solution. If no agreement is reached, the Controller may terminate the contract with respect to the part of the Service affected by the contested Sub-processor.

5.4 Liability

Blero remains fully liable to the Controller for the performance of the Sub-processors' obligations.

6. International data transfers

6.1 General principle

Personal Data is processed predominantly within the European Economic Area (EEA). The main database (Xano) and the SMS service (SMSAPI) are based in the European Union.

6.2 Transfers to third countries

Some Sub-processors (Vercel, Resend) are based in the United States. Such transfers take place exclusively on the basis of:

  • Standard Contractual Clauses (SCC) approved by the European Commission with Implementing Decision (EU) 2021/914;
  • Adequate supplementary technical and organisational measures, including encryption of data in transit (TLS/HTTPS) and, where available, encryption at rest.

6.3 Additional information

The Controller may request from Blero a copy of the SCCs signed with Sub-processors by writing to privacy@blero.io.

7. Security measures

Blero adopts the following technical and organisational measures pursuant to Art. 32 GDPR:

7.1 Technical measures

  • Encryption in transit: HTTPS/TLS on all communications between client, frontend and backend.
  • Secure authentication: bcrypt hash for user passwords; SHA-256 hash with dedicated salt for API keys and staff keys.
  • Session management: JWT with 24-hour expiry; single session per staff key (single session enforcement).
  • Multi-tenant isolation: every database query is filtered by account_id, preventing access to data of other restaurants.
  • Rate limiting: per-endpoint configurable limits, with specific thresholds for the public booking APIs (100 req/min per IP).
  • SMS anti-abuse protection: daily SMS sending limit per phone number; OTP codes with time-based expiry and a maximum number of attempts.
  • Secure tokens: booking cancellation and modification tokens are generated via SHA-256 hash and contain no personal data.
  • Input sanitisation: validation and sanitisation of all user input; configured CORS.
  • Automatic anonymisation: GDPR cron job that anonymises customer data upon expiry of the retention period configured by the Controller.

7.2 Organisational measures

  • Access to production systems limited to strictly necessary personnel.
  • Periodic review of access authorisations.
  • Personnel training in data protection.
  • Documented procedures for handling security incidents.

8. Personal Data Breach

8.1 Notification

Blero will notify the Controller of any Personal Data Breach without undue delay and, where feasible, within 48 hours of becoming aware of it. The notification will be sent to the email address of the Controller's account and will contain:

  • The nature of the breach, including, where possible, the categories and approximate number of Data Subjects involved;
  • The name and contact details of the contact point where more information can be obtained;
  • The likely consequences of the breach;
  • The measures taken or proposed to remedy the breach and mitigate its possible adverse effects.

8.2 Assistance

Blero will assist the Controller in fulfilling the notification obligations under Articles 33 and 34 GDPR, providing the information reasonably available about the breach.

8.3 Documentation

Blero will document any Personal Data Breach, including the facts relating to the breach, its effects and the measures taken, by recording in the system logs (webhook_logs).

9. Data Subjects' rights

9.1 Assistance

Blero will assist the Controller, by appropriate technical and organisational measures, in fulfilling Data Subjects' requests relating to the exercise of the rights provided for in Articles 15-22 GDPR (access, rectification, erasure, restriction, portability, objection).

9.2 Procedure

Should Blero receive a request directly from a Data Subject relating to data processed on behalf of the Controller, Blero will promptly inform the Controller and will not act on the request autonomously, unless authorised by the Controller or required by law.

9.3 Platform features

The Blero platform offers the Controller tools for managing customer data, including: viewing, modifying and deleting customer records; data export; configuration of the retention period with automatic cleanup.

10. Audits and inspections

10.1 Information

Blero will make available to the Controller the information reasonably necessary to demonstrate compliance with the obligations under Art. 28 GDPR and this DPA.

10.2 Audit

The Controller, or a third-party auditor mandated by the Controller (which is not a competitor of Blero), has the right to carry out audits, with at least 30 days' written notice, during business hours and in a manner that does not compromise the security or availability of the Service for other users. The Controller will bear the costs of the audit, unless the audit reveals a material non-compliance by Blero.

10.3 Aggregated audits

Should multiple Controllers request audits in the same period, Blero may satisfy such requests by means of a single audit conducted by an independent third-party auditor, sharing the results with the requesting Controllers, subject to confidentiality requirements.

11. Return and deletion of data

11.1 During the contractual relationship

The Controller may at any time export its data through the platform features or by requesting assistance from Blero.

11.2 Upon termination

Upon termination of the use of the Service (account cancellation):

  • Blero will delete all Personal Data processed on behalf of the Controller within 30 days of termination, save for retention obligations under Union or Member State law.
  • At the Controller's request, made before termination, Blero will provide a copy of the data in an exportable format.

11.3 Certification

At the Controller's request, Blero will provide written confirmation of the deletion of the data.

12. Liability

12.1 Blero's liability

Blero is liable to the Controller for damages caused by the processing only if it has not complied with the GDPR obligations specifically directed to Processors or if it has acted in a manner inconsistent with or contrary to the lawful instructions of the Controller.

12.2 Limitation

Blero's overall liability towards the Controller under this DPA is subject to the limitations set out in the Terms of Service (Section 11).

13. Final provisions

13.1 Precedence

In case of conflict between this DPA and the Terms of Service, the provisions of this DPA prevail with regard to the processing of Personal Data.

13.2 Changes

Blero may amend this DPA to comply with regulatory changes or to reflect changes in the Service. Material changes will be communicated to the Controller with at least 30 days' notice by email. Continued use of the Service after the changes take effect constitutes acceptance of the new conditions.

13.3 Governing law

This DPA is governed by Italian law. For any dispute, the jurisdiction indicated in the Terms of Service shall apply.

13.4 Contact

For any request relating to this DPA, you may contact privacy@blero.io.

Annex A — Processing instructions

The Controller's processing instructions are documented in the following tools:

  1. Terms of Service — define the general scope of the Service.
  2. Restaurant configuration — settings defined by the Controller in the admin panel (hours, notifications, privacy, data retention, marketing consent, no-show prevention).
  3. This DPA — defines the specific conditions of the processing.

Any change to the restaurant configuration by the Controller constitutes an update of the processing instructions.